Bugtraq mailing list archives
Re: Password Generation during RH Linux 6.x Installation
From: escher () SPOILED ORG (Fabian Kroenner)
Date: Thu, 8 Jun 2000 20:56:38 +0200
On Wed, Jun 07, 2000 at 11:21:42AM -0400, William R. Lorenz wrote:
> It seems as though, when entering a root password during RH Linux 6.x installation, the generated password, stored in the shadowed passwords file (/etc/shadow) does not contain a salt. This has occurred on three separate machines, and after the root password is changed using the `passwd` command, the salt is included in the encrypted password, as it should be. Can anyone confirm this observation and provide more details? Thanks, in advance.

The issue has been reported to Red Hat in Oct 1999, and to BugTraq in Jan 2000. It affects the installer in Red Hat 6.0 & 6.1.

The root password set during installation is never using MD5 encryption, but plain-old crypt(3) instead. It does not affect user-accounts generated during install.

Changing the root password after installation is highly recommended on Red Hat Linux 6.0 & 6.1. Red Hat has not issued an official advisory on this.

See also:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=5542
http://www.securityportal.com/list-archive/bugtraq/2000/Jan/0273.html

Regards...
Fabian
__________________________________________________________________
pub 1024D/19AB6A00 1999-12-14 Fabian Kroenner <escher () spoiled org>
key fingerprint: 2311 6D40 FE1F 9D94 77AD 20CA 2F38 AD9E 19AB 6A00
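
An added example, not part of the original posts or of Red Hat's code: a check for the condition described in this thread, flagging /etc/shadow entries whose password field is a traditional crypt(3) hash rather than an MD5 (`$1$`) one. The function names and the sample lines are constructed for illustration.

```python
import re

# Traditional DES-based crypt(3): exactly 13 characters, the first two are the salt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt: $1$<salt of up to 8 chars>$<22-character digest>
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Any other modular-crypt scheme: $<id>$...
MODULAR_RE = re.compile(r"^\$([0-9A-Za-z]+)\$")


def classify_hash(field):
    """Name the hashing scheme of one /etc/shadow password field."""
    if field == "":
        return "empty"                 # no password required at all
    value = field.lstrip("!")          # leading '!' marks a locked account
    if value in ("", "*"):
        return "locked"
    if MD5_RE.match(value):
        return "md5-crypt"
    if DES_RE.match(value):
        return "des-crypt"
    m = MODULAR_RE.match(value)
    if m:
        return "modular-" + m.group(1)
    return "unknown"


def find_des_accounts(shadow_text):
    """Return the account names whose hash is still traditional crypt(3)."""
    flagged = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue                   # malformed line, skip it
        if classify_hash(parts[1]) == "des-crypt":
            flagged.append(parts[0])
    return flagged


# Constructed sample (not real hashes): root as the installer left it,
# a user account created during install, and a locked system account.
SAMPLE_SHADOW = """\
root:abCDEFGHIJKLM:11116:0:99999:7:::
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:11116:0:99999:7:::
bin:*:11116:0:99999:7:::
"""

if __name__ == "__main__":
    for name in find_des_accounts(SAMPLE_SHADOW):
        print(name + ": crypt(3) DES hash, reset with passwd")
```

To audit a real system, pass the contents of /etc/shadow (read as root) to `find_des_accounts` instead of the sample.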